Multiple kerberos and 40960s on 2003 Domain controller

    Question

  • We have a Windows 2003 SP2 Domain Controller. It is the only DC in the domain. Today everything stopped working (DNS not working, only cached logins work, etc.)

    I found a bunch of LSASRV 40960 errors that say The Security System detected an authentication error for the server cifs/"servername" The failure code from the authentication protocol Kerberos was "The attempted logon was invalid. This is either due to a bad username or authentication information." (0xc00006d) 

    I also get the same error for LDAP/"servername" and for DNS/ns1.ena.com. And another error says the same thing but points to the server cifs\"oldserver" which hasn't been used since about 2006. The error never came up before today.

    There are Kerberos errors EventID: 4 "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/FQDNDC. The target name used was DOMAIN\DC$..." The same message appears with the target name of cifs/DC.DOMAIN

    I'm also getting a NetBT error that the name "Domain    :1d" could not be registered on the interface x.x.x.x (the DC's IP): "The machine with address x.x.x.x did not allow the name to be claimed by this machine."

    Any ideas? I'm getting a lot of error messages but not quite sure which one is the root cause or even if they are all related.


    Wednesday, August 21, 2013 3:45 PM

Answers

  • Hi,

    Based on your description, I assume you had changed something recently.

    If you had changed the domain admin password, maybe the service on the server would try to authenticate with the old password.

    I recommend you disable computer account password changes on the affected host and rejoin the domain.

    You can change the registry parameter “DisablePasswordChange” to 1 (HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters).

    Since the server (cifs\"oldserver") isn’t used anymore, I suggest you delete the unused computer account in the AD DS.

    Besides, please also check the time settings on all your computers. Time has to be in sync in AD for authentication.

    Best regards,

    Susie Long

    Friday, August 23, 2013 1:04 AM
    Moderator

All replies

  • Does your DNS MMC snap-in open? It seems like a DNS issue.

    If it does not open, I guess it's an AD-integrated zone? Then go into Active Directory Restore Mode and scan your AD database to be sure it's healthy: Esentutl /g c:\windows\ntds\ntds.dit (/g to check, /p to repair)

    Thanks


    MCP | MCTS - Exchange 2007, Configuring | Member of TechNet Wiki Community Council | French Moderator on TechNet Wiki (Translation Widget)

    Friday, August 23, 2013 2:05 AM
    Moderator
  • Hello,

    was there a restore done on the DC? If yes, which kind of option did you use as backup before?

    I would ask you to upload the following files to verify:

    ipconfig /all >c:\ipconfig.log [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, August 25, 2013 10:33 AM
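    As an added example (not code from the thread or from either poster), a PowerShell triage script that gathers on one DC the things the two answers above ask about: the LSASRV 40960 / Kerberos 4 / NetBT events, the clock offset against an NTP peer, the NetLogon DisablePasswordChange value and computer accounts whose password has not rotated. It assumes PowerShell 2.0 on the affected DC; the NTP peer name, the look-back window and the 90-day stale cutoff are assumed values, not from the thread.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 2.0 on the affected
# 2003 DC; the NTP peer, look-back window and stale-account cutoff are constructed.
param(
    [string]$TimeSource = 'time.windows.com',  # assumption: any reachable NTP peer
    [int]$HoursBack = 24,
    [int]$StaleDays = 90
)
$since = (Get-Date).AddHours(-$HoursBack)

# 1. The events the thread quotes: LSASRV 40960 (auth failure for an SPN),
#    Kerberos 4 (KRB_AP_ERR_MODIFIED: target could not decrypt the ticket, usually a
#    stale computer password or a duplicate SPN) and the NetBT registration failure.
$events = Get-EventLog -LogName System -After $since -EntryType Error,Warning |
    Where-Object {
        ($_.Source -eq 'LSASRV'   -and $_.EventID -eq 40960) -or
        ($_.Source -eq 'Kerberos' -and $_.EventID -eq 4) -or
        ($_.Source -eq 'NetBT'    -and $_.Message -match 'could not be registered')
    }
# Pull out every service principal the messages name (cifs/host, LDAP/host, DNS/host).
$spns = $events | ForEach-Object {
    if ($_.Message -match '(?i)\b(cifs|ldap|dns|host)[/\\]"?([\w.\-]+)') {
        "$($matches[1].ToLower())/$($matches[2])"
    }
} | Sort-Object -Unique
Write-Host "Events since ${since}: $(@($events).Count)"
$spns | ForEach-Object { Write-Host "  principal named: $_" }

# 2. Clock skew: Kerberos rejects tickets more than 5 minutes off by default.
$chart = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly 2>&1
Write-Host "w32tm against ${TimeSource}: $($chart | Select-Object -Last 1)"

# 3. The NetLogon value from the accepted answer: 1 = machine password rotation off.
$nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'
$dpc = (Get-ItemProperty -Path $nl -ErrorAction SilentlyContinue).DisablePasswordChange
if ($dpc -eq $null) { $dpc = '<not set>' }
Write-Host "DisablePasswordChange = $dpc"

# 4. Computer accounts whose password has not rotated in $StaleDays days: candidates
#    for the unused "oldserver" object the answer suggests removing.
$cutoff   = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()
$searcher = [adsisearcher]'(objectCategory=computer)'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'pwdLastSet'))
foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    if ($p['pwdlastset'].Count -gt 0 -and [int64]$p['pwdlastset'][0] -lt $cutoff) {
        Write-Host "  stale computer account: $($p['name'][0])"
    }
}
```

    Run it as a domain admin on the DC itself; a non-empty list of principals combined with a large w32tm offset points at clock skew, while the same list with a zero offset points at a stale machine password or a duplicate SPN.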
  • I deleted the entries in the registry referring to the old server with no luck. I also checked the AD but there was no account for the old server.

    We are in the process of taking our domain structure from 16 domains to 1. This one was slated to be moved in the spring. I just bumped up the date. It's now functioning fine as a DC in a different domain.

    Thanks for all of your input.

    Thursday, August 29, 2013 4:00 PM